ISAE 3402 | SOC1

ISAE 3402 is a guarantee that processes that are outsourced are demonstrably "in control". "In control" means that processes are executed properly, that information security is adequately organized and that sufficient measures are taken to prevent fraud. ISAE 3402 is increasingly demanded by financial institutions, listed organizations, and professional companies. To become ISAE 3402 certified you need a Service Organization Control report 'certified' by an accountant. ISAE 3402 should not be confused with ISAE 3000.

A Service Organization Control (SOC) report is a term from the United States for reporting on the internal control of a service organization. A SOC contains a description of the risk management organization, the internal control system and the information security measures. It is usual to include a general description of the internal control system and a control matrix (CM) in an ISAE 3402 (SOC) report, which includes detailed internal control measures

Outsourcing can cover almost any process. The IT organization can be outsourced, but also, for example, the processing of financial processes or the credit management process. Organizations increasingly outsource (parts of) important processes. As a result, important control measures (controls) can get out of sight of the management of the user organization and less influence can be exerted on the implementation of the processes that are outsourced.

The ISAE 3402 standard was created because organizations and regulators had a greater need for insight into and control of outsourcing. As a result, supervisory authorities such as the Dutch Bank (DNB) and the Netherlands Authority for the Financial Markets (AFM), the government in general and possibly your customers also ask questions or requirements with regard to reporting on the (control of) outsourced processes. Parties require a solid risk management framework, sound information security and transparency about this.